Limitations on the Strategic Use of Ransomware in Armed Conflicts
Editor’s Note: This post is derived from an article-length work published in the U.S. Naval War College’s International Law Studies journal.
Attempts to influence public support for armed conflicts through strategic targeting of civilians and civilian objects during armed conflicts have had a mixed record of success, at best. Belligerents on both sides of the Second World War targeted civilian objects to reduce civilian support for the war. While dropping atomic bombs on Hiroshima and Nagasaki certainly ended the war in the Pacific, Axis and Allied powers’ overall efforts to reduce civilian morale through strategic bombing were limited. More recently, the Russian military has targeted Ukrainian civilian infrastructure in a similar vein, including attacks on schools and hospitals. Investigators have catalogued other war crimes against civilian targets to erode the resolve of the Ukrainian people and press Russian territorial and political demands.
Although devastating to civilians in these conflict zones, such strategic targeting often has the opposite effect, hardening rather than weakening civilian resolve. It should perhaps be unsurprising that seeing their village or neighborhood destroyed and their countrypeople killed has produced visceral anger and a willingness to fight in civilian victims. Why not fight when so much has already been lost? Additionally, any lack of clarity as to the illegality of the intentional violent targeting of civilians and civilian objects has been long resolved. The precise reasons for international support for Ukraine are difficult to discern, but surely much support stems from public sympathy for Ukraine’s losses to Russian atrocities against civilians.
Despite the historical failings of violent strategic targeting campaigns against civilians, non-violent targeting of civilians remains a mainstay of military strategy. Psychological operations (PsyOps) or Military Information Support Operations (MISO) are but one enduring form. Unlike violent operations, strategic targeting of civilians with non-violent information campaigns implicates fewer, though still some, international legal restrictions. As States explore avenues to achieve strategic effects against civilian populations during armed conflict, one underexplored means is the use of ransomware.
Ransomware Methodology
Ransomware is a type of malicious software designed to deny access to an information system or its resident data until a ransom is paid. The data is held for ransom through encryption, theoretically allowing complete restoration of access once the demand, typically money in the form of cryptocurrency, is delivered. By many measures, ransomware has proven to be the most successful method of cyber-criminal activity, with targets as diverse as hospitals, corporations, and local governments. The University of California San Francisco (UCSF), for example, paid $1.14 million after a ransomware gang, thought to be Netwalker, encrypted servers used by the UCSF School of Medicine. The payouts associated with ransomware operations have risen continually over the last half-decade.
Ransomware operations have been most effective when targeting servers that support critical public functions, increasing public pressure for immediate payouts. Critical infrastructure has not been immune from such operations, as seen with the Colonial Pipeline incident in 2021. Beyond criminal organizations, States, such as Russia and North Korea, have already used ransomware operations for various purposes. Ransomware has proven to be a remarkably resilient form of coercive behavior. States have struggled to find policy solutions to deter ransomware operations, as operators continue to add new twists to their methods, from deleting backup systems simultaneously to encrypting the primary data set. The potential of tapping into such public pressure raises the specter of ransomware use in armed conflicts by States. I addressed this issue in my article, examining the potential strategic use of ransomware as a method of warfare from a legal perspective.
Ransomware in Armed Conflict
Before offering a legal analysis of ransomware, it is worth discussing why and how States might use this capability in armed conflicts. Ransomware can be distinguished from other types of cyber operations in that it is coercive rather than exploitative. On the one hand, most cyber operations seek to exploit an adversary’s information systems to gain an operational or intelligence advantage. Relevant examples are the loss of functionality of a command and control system and gaining a better understanding of an enemy’s weapon systems. Ransomware, on the other hand, seeks to force an adversary to take action it otherwise would not.
This post does not address the use of ransomware against military targets, although there may be interesting implications on questions of proportionality against “dual-use” objects worth addressing. Rather, this post focuses on the use of ransomware against purely civilian targets in armed conflicts for strategic purposes. Whereas violent operations against civilians and civilian objects have had the dual drawbacks of being unproductive and illegal, ransomware operations may be able to achieve the desired effects without violating the laws of war as a non-violent method of warfare.
For example, suppose an adversary is targeting civilian objects with violent means. Reciprocating with violent operations to induce the bad actor to cease the practice would be fraught with legal and moral issues. Additionally, such operations may be far more likely to lead to escalation than to eliminate the illegal activity. However, acting against similar targets of the adversary with non-violent ransomware operations, with the “ransom” demand being a cessation of the adversary’s illegal activity, would be a much more acceptable practice with less likelihood of escalation.
Another potential example is a widespread ransomware campaign against important social or economic targets to induce the adversary to negotiate an end to the conflict. Such a campaign could potentially be achieved without any permanent damage to civilian infrastructure. Potentially, the lack of visible physical damage and the associated death or injury to civilians typically accompanying such operations might also reduce the “fight” response of the civilian population. Whereas the damage from a strategic bombing campaign cannot be immediately undone, encrypted data can immediately be decrypted. Perhaps most importantly, such a campaign could be conducted within the limits placed on States by the laws of war. With such potential uses in mind, the remainder of this post examines the legal factors most likely to affect strategic ransomware uses against civilian targets.
Legal Implications
Scholars and States alike continue to debate whether there are any limitations on the use of cyber operations that lack physically violent effects while affecting the functionality of information systems. Fundamental law of war questions such as the definition of “attack” and qualification of data as an object remain unresolved, hindering the development of clear legal guidelines. Additionally, examples of States targeting civilian objects through cyberspace in armed conflicts to achieve military advantage are limited, slowing the establishment of useful guidelines of State practice and opinio juris. However, the lack of significant case studies should not preclude exploring the different methods States might use in offensive cyber operations against civilian targets, including identifying potential legal limitations.
While legal analysis of ransomware operations mirrors the general protections of civilian data in armed conflicts, the specifics of ransomware operations raise essential analytical differences. The first distinguishing characteristic of ransomware operations is the length of time that system functionality may be affected. For those States that have adopted a functionality-related test to determine when an “attack” occurs in cyberspace, the time required to restore functionality is a key factor. For example, there is relatively little support for the view that a denial of service operation causing brief system outages is an attack. The DoD Law of War Manual mentions cyber operations that cause a brief disruption of communications as an example of an operation that would fail to qualify as an attack (§ 16.5.2). Conversely, the delivery of malware that completely corrupts an operating system, resulting in permanent loss of functionality, is much more likely to qualify as an attack.
While it is tempting to view ransomware operations as equivalent to other offensive cyber operations that employ destructive malware, there are key differences that must be addressed. First, ransomware is different because the time element is likely to differ in every instance. If the conditions of the ransom are met immediately, then the loss of functionality might end immediately. Equally possible is that the encryption is never released, effectively resulting in a permanent loss of functionality or a rebuilding of the affected database.
The second significant difference is that a properly conducted ransomware operation does not corrupt, damage, or destroy data. Instead, the operator preserves the data, albeit in an encrypted, inaccessible state. If the data is permanently corrupted as opposed to simply encrypted, its use as a coercive tool would be nullified as the incentive to comply is removed. This limitation removes ransomware variants, such as NotPetya, that lack the ability to decrypt the data from consideration in this conversation. Additionally, sophisticated State actors can take a targeted approach as to which dataset they encrypt. Certain types of operational data, such as an operating system or applications, could be left functional, while content datasets, such as a client information database, could be encrypted. Such an operation might leave the system technically functional, with all data intact, while still inflicting significant inconvenience on the user.
Using cyber capabilities to lock civilian users out of even content-level datasets raises the question whether such operations can be viewed as a seizure of property, which is prohibited in some circumstances under the law of war. For instance, the First Geneva Convention’s Article 50 prohibits the “extensive destruction and appropriation of property, not justified by military necessity and carried out unlawfully and wantonly.” Here, we return to the issue of objects and property. Data is not “physical and tangible,” and its acceptance as an “object” has mixed support from States. Furthermore, when data is considered under the law as property, it is generally viewed as intellectual property. This is true under both domestic and international legal systems. Unlike personal property, intellectual property has no general protection under the laws of war. Thus, attempting to view ransomware as an illegal seizure of property under the laws of war also falls short, barring a significant change in the legal understanding of non-tangible digital data.
At this point, asking if there are any protections for civilian data from ransomware operations in armed conflicts is tempting. However, the failure of ransomware to qualify as either an attack or an illegal wartime seizure of property does not mean its use in armed conflicts is unlimited. The laws of war provide additional protections beyond general targeting law to numerous categories of potential targets. In my article, I review the categories that primarily apply to potential ransomware operations, such as medical data, civil defense organizations, and objects indispensable to the civilian populace (among others). While it is beyond the scope of this post to examine each of those categories individually, it is worthwhile to explore these special protections as a general matter.
Special Protections
Special protections frequently differ from the general targeting rules because they are not limited to situations of “attack.” The language often used to differentiate these protections is to “respect and protect.” For example, Article 19 of the First Geneva Convention states that units “of the Medical Service may in no circumstances be attacked, but shall at all times be respected and protected by the Parties to the conflict.” States widely interpret the inclusion of the “respect and protect” phrase as prohibiting interference with “discharging their proper functions,” such as is found in the DoD Law of War Manual (see e.g. § 7.8.2). In other words, States’ operations must not affect their functionality.
Categories of special protections that might apply to ransomware operations include the aforementioned medical data, the rising issue of digital cultural property, religious data associated with the spiritual care of the armed forces, civil defense organizations, and objects indispensable to the civilian populace, among others. While not all of these special protections use the “respect and protect” language, they all contain protections beyond those of civilian objects. Protections in Additional Protocol I Article 54(2) for objects indispensable to the civilian populace, for example, prohibit an operation to “render useless” such objects for the purpose of denying their value to the civilian populace of an adverse party, “whatever the motive.”
By moving beyond the pure language of “attacks,” some of these protections bypass the previously identified limitations on applying the laws of war to cyber operations, including ransomware. The encryption of hospital data used in any manner to provide patient care would undoubtedly fail to “respect and protect” medical units. It should be noted that each special protection is unique and must be analyzed individually to determine its applicability in the case of ransomware operations. However, they provide essential protection to many forms of civilian data.
War-Sustaining Objects
Finally, no discussion of intentional operations against civilian targets is complete without a discussion of the thorny issue of war-sustaining objects. These have been described as objects that “indirectly but effectively support the enemy’s overall war effort” (AMW Manual, Rule 24). Such targets might include data sets of high social or economic value, exactly the data sets that would be most effective for strategic ransomware operations. The United States has repeatedly taken the position that the targeting of such objects can meet the definition of a military objective (see DoD Law of War Manual § 7.8.2 and The Commander’s Handbook on the Law of Naval Operations § 5.3.1). It should be noted that this view is not widely held by scholars and other States. Nevertheless, should the law develop to include ransomware operations as “attacks” against “objects,” many of the targets most useful as strategic targets may be considered valid as war-sustaining objects.
Conclusion
Despite the special protections, there are many categories of civilian data unprotected from ransomware operations in armed conflicts. The intentional targeting of many of these data sets through ransomware does, however, strike one as unnecessarily cruel and unethical. A potential example would be a ransomware operation targeting the pension system of elderly, retired civilians. Unfortunately, in my opinion, States have not made the necessary changes in international law to protect such targets from strategic ransomware operations in armed conflicts. As such, an intense effort should be undertaken to develop normative limitations, such as those suggested by Professor Michael Schmitt, to protect the most vulnerable civilians. In time, such normative restrictions may ripen into customary law and provide more definitive protection. However, current State practice and opinio juris relating to cyber operations are insufficient to find a definitive prohibition on ransomware operations against most civilian targets during armed conflicts.
***
Jeff Biller is an Associate Professor of Cyber Law and Policy with CyberWorx, a department of the Office of Research at the United States Air Force Academy (USAFA).
Photo credit: Unsplash